How financial institutions can set Key Performance Indicators for effective AML in four steps

In this article, we outline four practical steps that all financial institutions can follow to establish robust anti-crime KPIs and improve their risk models.
A man wearing a green jacket and glasses, standing in a hallway with yellow lights.

According to a recent report, around $3T of dirty money is circulating in the global financial system. The report also identified banks' weaknesses as one reason why combating financial crime is challenging. This is due to the lack of effective measures to track and measure success.

Banks and financial institutions need stronger KPIs for financial crime prevention that break free of ineffective traditional benchmarks.

Companies often attempt to measure their results by reducing the number of false positives or suspicious activity alerts. But these "easy" indicators are red herrings, either unattainable or distracting from the actual problems.

For example, while financial institutions track the number of "suspicious activity reports" (SARs) filed, they have no idea how many accurately identify a crime, because once they're handed off to law enforcement, tracking stops.

There are better ways to measure financial institutions' success in fighting crime, improve their risk models, and set future goals that aren't just vanity metrics but truly move the needle.

In this article, we share four practical steps that all banks and financial institutions can follow to establish robust anti-crime KPIs.

1. Start with Key Risk Indicators - KRIs

Before even considering KPIs, financial institutions must set Key Risk Indicators (KRIs). This means understanding your crime exposure in every aspect of your company; there is no one-size-fits-all.

KRIs will depend on certain elements, such as your company's size, geographical presence, customer base, distribution channels and product offering.

Every bank should already have a thorough risk assessment. What you need to do is make sure that it's differentiated across variables that affect risk, such as:

  • The industries and countries in which your customers operate (a company offering gambling services requires a stricter risk assessment from one selling sports equipment);
  • The risk level of your different branches (are they cash or credit-intensive?);
  • And the types of products you're offering (e.g., a loan for a cash-heavy business is riskier than offering car insurance).

You must also ensure that the risk assessment is regularly updated with new contextual information, such as any national risk assessments and internal data on customer behaviour, transactions, and more.

Then, you can use that assessment to determine your unique Key Risk Indicators.

For example, if your bank has opened a branch in a country that is inherently at higher risk of AML, your local customers might all be considered high-risk because of their area of operations alone.

The KRIs in that branch are a lot more nuanced to local dynamics. In this case, it would be irrational for your resulting KPI to be "reduce the number of high-risk customers," as that would basically mean closing down the branch.

You want to keep those "high-risk" customers but lower the risk incurred by your institutions. One way to do this is to establish a KPI that increases the frequency of enhanced due diligence on local customers or increases the level of local risk training of your branch employees.

Risk indicators are snapshots of historical data that only measure what has already happened. KPIs are a future indicator of where you want to be in the near future. But you have to know where you are now to know where you want to be.

2. Don't use traditional indicators as vanity metrics

Once you have established your unique KRIs, turn to the metrics you've currently been using to assess your anti-crime strategy.

Many of the figures presented to management—such as false positives, the number of high-risk customers, and the number of alerts generated—are used as "vanity metrics" because they look good when they trend downwards.

However, they are typically an unreliable snapshot of the superficial situation. They're so volatile that they can jump erratically from one day to the next, as reporting might not be consistent across days.

For example, the number of customers whose KYC is overdue is a highly valued metric within financial institutions. It measures the number of customers whose KYC data is overdue but should have been updated.

While it might be low today, the threshold could push many of your customers overdue tomorrow. The real issue you're chasing shouldn't be the number, but the efficiency of the mechanism you have in place to update KYC info. An alternative tracker could be the diffusion of automated options to customers for hassle-free KYC data updating.

Another common indicator is the number of false positives, or how many of the transaction alerts generated by the system are dismissed as false alarms upon review.

But what does that percentage really say? If false positives have decreased by 20%, does that mean your transaction monitoring system has become more discerning, or does it tell you've been completely missing a sector of transactions because the criminals' modus operandi (MOs) have changed?

Instead, you should examine whether your transaction monitoring system is working correctly and has been updated regularly with new scenarios and risk models.

Finally, you need to examine these metrics for an extended period of time to truly decipher trends and peak periods and understand the purpose behind their measurement (which feeds back into the KRIs).

3. Focus on team-based KPIs

While all the metrics mentioned have some level of ambiguity, the most straightforward metrics for any bank and financial institution are those that measure the proficiency and trustworthiness of your employees, from the first line of defence to top management.

Several KPIs can serve this purpose. In terms of proficiency, you can measure the team's efficiency in, for example, the processing time of onboarding and updating KYC or the processing time of an alert.

An essential KPI is ongoing employee training. Awareness and compliance training can be monitored regarding courses completed and resources distributed. Also, ensure your internal intelligence is constantly growing by tracking how often you send employees to conferences, read new papers on emerging trends, and more.

Your employees can be a liability if you don't have good KPIs for conducting background checks and continuously reviewing your team members.

4. Set up a KPI refinement wheel

Your main objective with KPIs should be to constantly fine-tune them. You need to set a wheel in motion: set KPIs, perform risk assessment, conduct routine monitoring and data analysis, update risk assessment, and update KPIs.

For example, suspicious activity alerts give you a broader picture of the factors impacting your risk assessment and where it needs to be refined.

You may see multiple alerts within a specific channel, such as when customers are paying online or conducting cash transactions at a particular branch. You can use that information to update the risk assessment and rework your transaction monitoring systems.

That could lead to new KPIs for increasing enhanced due diligence on customers at a specific branch or using specific channels.

In conclusion

Your work is never done. As mentioned before, this process is not about the numbers. It's about having an effective, working risk management system. Use your KPI journey to upgrade your financial crime prevention strategy as a whole.

Related articles

Talk to an expert

Discover how our solutions can help you effectively fight financial crime. Complete the form, and we will contact you shortly.